Privacy & Information Security Law Blog

On February 6, 2023, Texas State Representative Giovanni Capriglione submitted H.B. 1844, a comprehensive privacy bill modeled after the Virginia Consumer Data Protection Act (“VCDPA”). The bill could make Texas the sixth U.S. state to enact major privacy legislation, following California, Virginia, Colorado, Utah, and Connecticut. Although the bill closely follows the VCDPA, it departs from the Virginia law in several key areas, most notably in the definition of “personal data” and its applicability.

On February 3, 2023, the California Privacy Protection Agency (“CPPA”) Board unanimously approved for submission to California’s Office of Administrative Law (“OAL”) proposed final California Privacy Rights Act (“CPRA”) regulations released on January 31, 2023 which update the draft CPRA regulations released on November 3, 2022.

On February 1, 2023, the Federal Trade Commission announced that it entered into a proposed order with GoodRx, a telehealth and prescription drug discount provider, for violations of the FTC’s Health Breach Notification Rule stemming from GoodRx’s unauthorized disclosures of consumers’ personal health information to third party advertisers and other companies. This is the first enforcement action taken under the FTC’s Health Breach Notification Rule, which was issued in 2009.

On January 27, 2023, California Attorney General Rob Bonta announced a new enforcement sweep aimed at businesses with mobile apps and other businesses that fail to comply with the California Consumer Privacy Act (“CCPA”).

On January 23, 2023, the California Privacy Protection Agency (“CPPA”) Board announced that it will hold a public meeting on February 3, 2023 regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process, particularly with respect to the issuance of new draft rules on risk assessments, cybersecurity audits and automated decisionmaking.

On January 4, 2023, the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing practices of Meta Platforms, Inc. (“Meta”) with respect to the company’s Instagram and Facebook platforms. As a result of the investigations, the DPC fined Meta a combined €390 million for breaches of the EU General Data Protection Regulation (“GDPR”) and, following consultation with the European Data Protection Board (“EDPB”), notably held that Meta can no longer rely on the GDPR’s “performance of a contract” legal basis for processing personal data in the behavioral advertising context, a decision that has broad implications for publishers engaged in behavioral advertising in the EU.

On December 21, 2022, the Colorado Attorney General published an updated version of the draft rules to the Colorado Privacy Act (“CPA”). The draft, which follows the first iteration of the proposed rules published on October 10, 2022, solicits comments on five topics: (1) new and revised definitions; (2) the use of IP addresses to verify consumer requests; (3) a proposed universal opt-out mechanism; (4) streamlining the privacy policy requirements; and (5) bona fide loyalty programs.

On December 19, 2022, the Federal Trade Commission announced two settlements, amounting to $520 million, with Epic Games, Inc. in connection with alleged violations of the Children’s Online Privacy Protection Act Rule (the “COPPA Rule”) and alleged use of “dark patterns” relating to in-game purchases.

On December 16, 2022, the California Privacy Protection Agency (“CPPA”) Board held a public meeting regarding the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics, such as the CPPA’s advocacy regarding proposed federal and state privacy legislation.

On November 22, 2022, the Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced that it filed comments with the Federal Trade Commission that call for new limits on how companies can collect and use personal information about consumers. The comments were filed in response to the FTC’s request for public comment on its Advanced Notice of Proposed Rulemaking on commercial surveillance and lax data security practices.

On December 6, 2022, the California Privacy Protection Agency (“CPPA”) announced that it will hold a virtual public meeting to discuss the status of the California Privacy Rights Act of 2020 (“CPRA”) rulemaking process and other topics. Anticipated topics for discussion include:

On November 23, 2022, the UK government’s Department for Digital, Culture, Media & Sport (“DCMS”) announced that it had completed its assessment of South Korea’s personal data legislation, and concluded that sufficiently strong privacy laws are in place to protect UK personal data transferred to South Korea while upholding the rights and protections of UK citizens.

On November 15, 2022, the Federal Trade Commission announced a six-month extension for companies to comply with certain updated requirements of the Gramm-Leach-Bliley Act’s Safeguards Rule, a set of data security provisions covered  financial institutions must implement to protect their customers’ personal information. The new deadline is June 9, 2023.

On November 14, 2022, Google LLC (“Google”) agreed to a $391.5 million settlement with the attorneys general of 40 U.S. states over the company’s location tracking controls available in its user account settings.   

The investigation by the state attorneys general found that, between 2014 and 2020, Google misled users by failing to disclose that toggling the “Location History” setting to off did not disable all tracking activities. The settlement noted that Google retained the ability to track users’ location via the “Web & App Activity” setting, and used the information for targeted advertising purposes.

On November 1, 2022, the Federal Trade Commission hosted their annual PrivacyCon 2022, which was available to the public via webcast. The FTC held seven different panels highlighting the latest research and trends in consumer privacy and data security.

On October 31, 2022, the Consumer Financial Protection Bureau (“CFPB”) announced that it will re-open the public comment period on their October 2021 Orders for six large technology companies operating payments platforms to provide information about their business practices. The October 2021 Orders requested that Amazon, Apple, Facebook, Google, PayPal and Square provide information about their data collection and use, their policies for removing individuals and businesses from their platforms, and their policies and practices for providing consumer protections such as addressing disputes and errors.

On November 1, 2022, the Digital Markets Act (the “DMA”) entered into force. The DMA introduces new rules for certain core platforms services acting as “gatekeepers” in the digital sector (including search engines, social networks, online advertising services, cloud computing, video-sharing services, messaging services, operating systems and online intermediation services). The DMA also aims to prevent such platforms from imposing unfair conditions on businesses and consumers, and to ensure the openness of important digital services.

On November 3, 2022, the Federal Trade Commission announced a proposed order to settle an action against an internet phone service provider, Vonage, that would require Vonage to pay $100 million in refunds to customers harmed by its practices, which the FTC alleged included “dark patterns” that made it difficult for customers to cancel their service. The order also would require Vonage to not use dark patterns and provide a simple and transparent way for customers to cancel their service. 

On November 3, 2022, the California Privacy Protection Agency (“CPPA”) released new modified proposed California Privacy Rights Act (“CPRA”) regulations, which make updates to the draft CPRA regulations released on October 17, 2022. The CPPA also released an updated list of documents and other information relied upon for this most recent rulemaking.

On October 28-29, 2022, the California Privacy Protection Agency (“CPPA”) held a Board Meeting to discuss the modified proposed regulations promulgated for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), as well as the remainder of the rulemaking process. The CPPA previously released the modified proposed regulations on October 17, 2022.  

On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices. 

On October 1, 2022, the Colorado Attorney General’s Office submitted an initial draft of the Colorado Privacy Act Rules (“CPA Rules”), which will implement and enforce the Colorado Privacy Act (“CPA”). The CPA Rules, which are currently about 38 pages, address many recent issues in state data privacy regulation, including data profiling, data protection, automated data processing, biometric data, universal opt-out mechanisms and individual data rights.

On October 25, 2022, the Federal Trade Commission announced the agenda for its annual PrivacyCon to be held on November 1, 2022. The event will cover consumer surveillance, automated decision-making systems, children’s privacy, listening devices, augmented and virtual reality, interfaces and dark patterns, and AdTech.

On October 24, 2022, the New York City Department of Consumer and Worker Protection (“DCWP”) proposed rules to implement its new law regarding automated employment decision tools (“AEDTs”).

On October 24, 2022, the Federal Trade Commission announced a proposed consent order with Drizly, an online alcohol ordering and delivery service, and the company’s CEO, for the alleged failure to maintain appropriate security safeguards that led to a data breach that affected 2.5 million consumers’ personal information.

On September 23, 2022, New York State Senator Andrew Gounardes introduced S9563, also known as the “New York Child Data Privacy and Protection Act.” The bill, which resembles the recently passed California Age-Appropriate Design Code Act, bans certain data collection and targeted advertising and requires data controllers to, among other obligations, assess the impact of their products on children.

On October 20, 2022, Texas Attorney General Ken Paxton brought suit against Google alleging various violations of Texas’s biometric privacy law, including that the company unlawfully collected and used the biometric data of millions of Texans without obtaining proper consent. The lawsuit alleges that, since 2015, Google has collected millions of biometric identifiers of Texas consumers, such as voiceprints and records of face geometry, through Google’s various products, including Google Photos, Google Assistant and Nest Hub Max, in violation of Texas’s biometric privacy law. Texas’s biometric privacy law prohibits the collection of biometric identifiers for a commercial purpose unless the individual whose biometric identifiers are collected is informed of the collection and provides consent. The law also requires companies to destroy biometric identifiers within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the biometric identifier expires (except in limited circumstances).

On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.

On October 19, 2022, Bloomberg Law reported that the White House is planning to introduce a system to label Internet of Things (“IoT”) devices with information related to the devices’ cybersecurity risk.

On October 12, 2022, New York Attorney General Letitia James announced that her office had secured a $1.9 million penalty from e-commerce retailer Zoetop, owner of SHEIN and ROMWE, following an improperly handled data breach. The Office of the Attorney General of the State of New York (“NYAG”) alleged in its Assurance of Discontinuance that Zoetop failed to properly handle the breach and lied about its scope to consumers.

On October 17, 2022, the California Privacy Protection Agency (“CPPA”) released modified proposed regulations for compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA/CPRA”), along with an explanation of the modifications as materials for an upcoming CPPA Board Meeting. The Board Meeting scheduled for October 28-29, 2022, will discuss and take possible action, including adoption or modification, regarding the proposed regulations.

On October 14, 2022, the Federal Trade Commission announced it is extending the deadline by one month to submit comments on its Advance Notice of Proposed Rulemaking (“ANPR”) on commercial surveillance and lax data security practices.

The FTC launched the ANPR in August and has sought public comment on it, including through a virtual public forum held in September.

Comments now must be filed by November 21, 2022.

On October 13, 2022, the Interactive Advertising Bureau (“IAB”) released for public comment an updated version of its contractual framework and new U.S. State Signals (“Signals”) specifications to help the digital advertising industry comply with the comprehensive state privacy laws of California, Virginia, Colorado, Utah and Connecticut.

On October 3, 2022, Google LLC (“Google”) agreed to pay the State of Arizona $85 million to settle a consumer privacy lawsuit that alleged the company surreptitiously collected consumers’ geolocation data on smartphones even after users disabled location tracking. 

On October 21 and October 22, 2022, the California Privacy Protection Agency (“CPPA”) Board will hold public meetings to discuss and take possible action, including adoption or modification of proposed regulations, to “implement, interpret, and make specific” the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 .

On October 4, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published a white paper outlining 10 key recommendations for regulating artificial intelligence (“AI”) in Brazil (the "White Paper"). CIPL prepared the White Paper to assist the special committee of legal experts established by Federal Senate of Brazil (the “Senate Committee”) as it works towards an AI framework in Brazil.

On September 21, 2022, the Federal Communications Commission (“FCC”) announced a proposed combined fine of $3.4 million against Sinclair Broadcast Group, Nexstar Media Group and 19 other broadcast television licensees for violations of rules limiting commercial matter in children's television programming.

On September 21, 2022, the Federal Trade Commission announced the agenda for its “Protecting Kids from Stealth Advertising in Digital Media” virtual event to be held on October 19, 2022. The event will cover how children recognize and understand digital advertising content; the current advertising landscape’s impact on kids, including potential harms stemming from an inability to distinguish advertising from other content; and an assessment of the current legal regime’s protection of children from potential harms, and whether additional regulatory, self-regulatory, educational and technological tools may provide additional protection.

On September 15, 2022, the Federal Trade Commission released a report analyzing “dark patterns,” or “design practices that trick or manipulate users into making choices they would not otherwise have made and that may cause harm.” The report, titled “Bringing Dark Patterns to Light,” highlights dark patterns used across industries and different contexts, such as e-commerce, cookie consent banners, children’s apps and subscription sales. The report identifies four common types of dark patterns and provides examples of each:

On August 29, 2022, the Federal Trade Commission announced a civil action against digital marketing data broker Kochava Inc. for “selling geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The lawsuit seeks a permanent injunction to stop Kochava’s sale of geolocation data and to require the company to delete the geolocation data it has collected.  

On September 15, 2022, California Governor Gavin Newsom signed into law the California Age-Appropriate Design Code Act (the “Act”). The Act, which takes effect July 1, 2024, places new legal obligations on companies with respect to online products and services that are “likely to be accessed by children” under the age of 18.

On September 6, 2022, the California legislature presented Assembly Bill 2392 to Governor Gavin Newsom. AB-2392, which has not yet been signed by Governor Newsom, would allow Internet-connected device manufacturers to satisfy existing device labeling requirements by complying with National Institute of Standards and Technology (“NIST”) standards for consumer Internet of Things (“IoT”) products.

On September 8, 2022, the Federal Trade Commission hosted a virtual public forum on its Advanced Notice of Proposed Rulemaking (“ANPR”) concerning “commercial surveillance and lax data security.” The forum featured remarks from FTC Chair Lina Kahn, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya, as well as panels with industry leaders and consumer advocates.

On July 26, 2022, the attorneys general of New Jersey, Pennsylvania, Delaware, Maryland, Virginia, Florida and Washington D.C. announced an $8 million multistate settlement with Wawa Inc. that resolves the states’ investigation into a 2019 data breach that compromised approximately 34 million payment cards used by consumers at Wawa stores and fueling locations. 

On August 24, 2022, the California Office of the Attorney General (“OAG”) announced a new wave of enforcement efforts targeted at business’ recognition of the Global Privacy Control (“GPC”), and issued an updated summary of recent CCPA enforcement efforts.

On August 29, 2022, the Federal Trade Commission released the agenda for its virtual public forum on the Commercial Surveillance and Data Security Advanced Notice of Public Rulemaking. The forum, to be held on September 8, 2022, seeks “public comment on the harms stemming from commercial surveillance and lax data security practices and whether new rules are needed to protect people’s privacy and information.” As we previously reported, the forum intends to discuss to what extent commercial surveillance practices or lax security measures harm consumers, including children and teenagers; how the FTC should balance the costs and benefits of existing or emergent commercial surveillance and data security practices and rules that would address them; and how, if at all, the FTC should regulate harmful commercial surveillance or data security practices.

On August 24, 2022, California Attorney General Rob Bonta announced the Office of the Attorney General’s (“OAG’s”) first settlement of a California Consumer Privacy Act (“CCPA”) enforcement action, against Sephora, Inc.

On August 10, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a new interpretive rule clarifying when digital marketing providers must comply with federal consumer financial protection law. Under the new rule, Big Tech companies that use behavioral advertising techniques to market financial products will be subject to the Consumer Financial Protection Act of 2010 (“CFPA”).

On August 8, 2022, Commissioner Noah Joshua Phillips announced that he plans to resign from the Federal Trade Commission in the fall after serving four years with the agency. Phillips was appointed by former President Donald Trump in May 2018 and is one of the two Republican commissioners on the FTC alongside Commissioner Christine S. Wilson. Commissioner Phillips had served as chief counsel to Sen. John Cornyn (R-Texas) before joining the FTC.

On July 29, 2022, the New York Department of Financial Services (“NYDFS”) posted proposed amendments (“Proposed Amendments”) to its Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulations”). The Proposed Amendments would expand upon the set of prescriptive cybersecurity requirements applicable to all covered financial institutions, as well as impose more stringent requirements for “Class A Companies” (as defined below). There will be a brief pre-proposal comment period, followed by the official publication of the Proposed Amendments, which will trigger a new 60-day comment period. Below are the key changes introduced by the Proposed Amendments.

On August 11, 2022, the Federal Trade Commission announced it is seeking public comment regarding its advance notice of proposed rulemaking (“ANPR”) on commercial surveillance and data security, on which we previously reported. The FTC defines “commercial surveillance” as the business of collecting, analyzing and profiting from consumer data.

On July 22, 2022, T-Mobile entered into an agreement to settle a class action lawsuit stemming from its 2021 data breach. The breach involved the personal information of 76.6 million U.S. residents and was T-Mobile’s fifth breach over a four year period. The proposed settlement will require T-Mobile to pay $500 million to settle customers’ claims and to bolster its cybersecurity practices.  

On July 28, 2022, the California Privacy Protection Agency (“CPPA”) Board will hold a remote, special public meeting at 9AM PDT to discuss possible action on proposed federal privacy legislation, including the American Data Privacy and Protection Act (“ADPPA”), according to the Board’s publicly released agenda.

On July 20, 2022, the U.S. House of Representatives Committee on Energy and Commerce (the “Committee”) passed H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”) (as amended), by a vote of 53-2. The ADPPA next will be put before the full House for a vote.

On July 1, 2022, the California Privacy Protection Agency (“CPPA”) sent U.S. House of Representatives Speaker Nancy Pelosi a memo outlining how H.R. 8152, the bipartisan American Data Privacy and Protection Act (“ADPPA” or the “Act”), would lessen privacy protections for Californians, and California Democrats have joined the cause.

The CPPA’s memo asserts that the ADPPA, by preempting the California Privacy Rights Act (“CPRA”) and other state privacy laws, proposes to eliminate:

On July 6, 2022, the Better Business Bureau National Programs’ Children’s Advertising Review Unit (“CARU”) announced that it had found Outright Games in violation of the Children’s Online Privacy Protection Act (“COPPA”) and CARU’s Self-Regulatory Guidelines for Advertising and Guidelines for Children’s Online Privacy Protection. Outright Games owns and operates the Bratz Total Fashion Makeover app, which CARU determined to be a “mixed audience” child-directed app subject to COPPA and CARU’s Guidelines due to the app’s subject matter, bright colors, visual content, lively audio and gameplay features.

On June 30, 2022, the New York Office of the Attorney General (“NYOAG”) announced a $400,000 agreement with Wegmans Food Markets, Inc. (“Wegmans”) in connection with a cloud storage security issue. The NYOAG alleges that Wegmans exposed the personal information of three million consumers by storing the data in misconfigured cloud storage containers.

On July 11, 2022, the Federal Trade Commission’s Bureau of Consumer Protection issued a business alert on businesses’ handling of sensitive data, with a particular focus on location and health data. The alert describes the “opaque” marketplace in which consumers’ location and health  data is collected and exchanged amongst businesses and the concerns and risks associated with the processing of such information. The alert specifically focuses on the “potent combination” of location data and user-generated health and biometric data (e.g., through the use of wellness and fitness apps and the sharing of face and other biometric data for app/device authentication purposes). According to the alert, the combination of location and health data “creates a new frontier of potential harms to consumers.”

On July 8, 2022, President Biden issued an Executive Order titled, “Protecting Access to Reproductive Health Care Services,” in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization that overturned Roe v. Wade. The Executive Order aims, in part, to “ [p]rotect[] the privacy of patients and their access to accurate information” regarding reproductive health care services. It directs the Department of Health and Human Services (“HHS”) and the Federal Trade Commission to take certain steps to address the potential threat to patient privacy caused by the transfer and sale of sensitive health-related data, and by digital surveillance related to reproductive health care services from fraudulent schemes or deceptive practices.

On July 8, 2022, the California Privacy Protection Agency Board (“CPPA Board”) began the formal rulemaking process to establish regulations promulgating the amendments made to the California Consumer Privacy Act (“CCPA”) by the California Privacy Rights Act (“CPRA”) (collectively, the “CCPA/CPRA”). The CPPA Board issued a formal Notice of Proposed Rulemaking and Initial Statement of Reasons, and released the proposed regulations. The 45-day public comment period has now begun.

On June 22, 2022, the Federal Trade Commission submitted an updated abstract to the Office of Information and Regulatory Affairs indicating that it is considering initiating a rulemaking under Section 18 of the FTC Act to curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.

On June 24, 2022, the New York State Department of Financial Services (“NYDFS” or the “Department”) announced it had entered into a $5 million settlement with Carnival Corp. (“Carnival”), the world’s largest cruise-ship operator, for violations of the Cybersecurity Regulation (23 NYCRR Part 500) in connection with four cybersecurity events between 2019 and 2021, including two ransomware events.  

On June 21, 2022, the Colorado Attorney General’s Office announced it is seeking informal input from the public on its rulemaking related to the Colorado Privacy Act (“CPA”). Before starting its formal rulemaking process, the Office has indicated it wants to better “understand the community’s thoughts and concerns about data privacy.”

On June 16, 2022, the Federal Trade Commission issued a report to Congress titled Combatting Online Harms Through Innovation (the “Report”) that urges policymakers and other stakeholders to exercise “great caution” about relying on artificial intelligence (“AI”) to combat harmful online content.

On June 23, 2022, the U.S. House of Representatives Subcommittee on Consumer Protection and Commerce passed by voice vote H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”). This bipartisan legislation, sponsored by House Energy and Commerce Committee Chairman Frank Pallone (D-NJ), committee Ranking Republican Cathy McMorris Rodgers (R-WA), subcommittee Chairman Jan Schakowsky (D-IL) and subcommittee Ranking Republican Gus Bilirakis (R-FL), is based on the bipartisan, bicameral “Three Corners” draft bill released on June 2, 2022 with the support of Pallone, Rodgers and Senate Commerce Committee Ranking Republican Roger Wicker (R-MS). 

On June 3, 2022, the Federal Trade Commission announced it is seeking public comment on its 2013 guidance, “.com Disclosures: How to Make Effective Disclosures in Digital Advertising” (the “Guidance”). The FTC indicated that it is updating the Guidance to better protect consumers against online deceptive practices, particularly because some companies have interpreted the current version of Guidance to “justify practices that mislead consumers online.” For example, the FTC explains that companies have wrongfully claimed they can avoid FTC Act liability by placing required disclosures behind hyperlinks. The updated Guidance will address issues such as advertising on social media, in video games, in virtual reality environments, and on mobile devices and applications, as well as the use of dark patterns, manipulative user interface designs, multi-party selling arrangements, hyperlinks and online disclosures.

On June 3, 2022, House Energy and Commerce Chair Rep. Frank Pallone (D-NJ), Ranking Member Rep. Cathy McMorris Rodgers (R-WA) and Senate Commerce, Science and Transportation Committee Ranking Member Sen. Roger Wicker (R-MS) released a new comprehensive federal privacy bill, the American Data Privacy and Protection Act (“ADPPA”).

On May 4-6, 2022, the California Privacy Protection Agency (“CPPA”) held via video conference several public pre-rulemaking stakeholder sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, stakeholders ranging from privacy and cybersecurity experts to trade associations and California small business owners provided verbal comments, insights and suggestions to the CPPA as it develops the forthcoming CPRA regulations. The sessions focused on a number of issues, including automated decision-making, data minimization and purpose limitation, dark patterns, consumers’ rights (e.g., opt-out rights, limitation on the use of sensitive personal information), and cybersecurity audits and risk assessments. Comments and positions taken amongst the stakeholders varied. Some of the positions taken by stakeholders are summarized below:

On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, after the law was previously passed by the Connecticut General Assembly in April. Connecticut is now the fifth state to enact a consumer privacy law.

On April 28, 2022, the Federal Trade Commission published a Notice of Proposed Rulemaking (“NPRM”) and an Advance Notice of Proposed Rulemaking (“ANPRM”), proposing several updates to the Telemarketing Sale Rules (“TSR”).

On April 11, 2022, Virginia Governor Glenn Youngkin signed into law three bills that amend the Virginia Consumer Data Protection Act (“VCDPA”) ahead of the VCDPA’s January 1, 2023 effective date. The bills, HB 381, HB 714 and SB 534, (1) add a new exemption to the VCDPA’s right to delete; (2) modify the VCDPA’s definition of “nonprofit”; and (3) abolish the Consumer Privacy Fund.

On April 12, 2022, Colorado Attorney General Phil Weiser made remarks at the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C., where he invited stakeholders to provide informal public comments on the Colorado Privacy Act (“CPA”) rulemaking.

On April 11, 2022, Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals’ Global Privacy Summit. This speech marks Khan’s first major privacy address since her appointment last June.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) held via video conference two public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”). During the sessions, members of the California Attorney General’s Office and various privacy and cybersecurity experts led discussions on topics such as the sale and sharing of personal information, dark patterns, data privacy impact assessments, cybersecurity audits and automated decision-making. The CPPA Board has not at this time responded to the views expressed by the experts at the meetings.

On March 18, 2022, Indiana Governor Eric Holcomb signed into law an amendment to Indiana’s data breach notification statute. The amendment requires notification of a data breach to affected individuals and the Indiana Attorney General without unreasonable delay, but no later than forty-five (45) days after discovery of the breach. The amendment will take effect on July 1, 2022.

On March 25, 2022, the U.S. District Court for the Northern District of Illinois approved a $1.1 million settlement with TikTok Inc. (“TikTok”) to resolve claims that TikTok collected children’s data and sold it to third parties without parental consent. The plaintiffs sued TikTok in 2019, alleging that TikTok did not seek verifiable parental consent prior to collecting personal information of children under 13 on the popular video platform in violation of the Children’s Online Privacy Protection Act. The complaint further alleged that TikTok disclosed and sold user data, including lip-syncing videos created by children who used a TikTok-affiliated app called Musical.ly, to third parties, without parental consent. The $1.1 million settlement will be distributed among class members, who consist of U.S. users who, prior to the settlement’s effective date and while under the age of 13, registered for or used TikTok or Musical.ly.

On March 29 and March 30, 2022, the California Privacy Protection Agency (“CPPA”) will hold public pre-rulemaking informational sessions regarding the California Privacy Rights Act (“CPRA”) via video conference. As we previously reported, the CPPA, which has rulemaking authority under the CPRA and will be responsible for implementing and enforcing the CPRA, recently estimated that it will not publish final CPRA regulations until the third or fourth quarter of 2022.

On March 15, 2022, the Federal Trade Commission (FTC) announced a proposed settlement with custom merchandise platform CafePress in connection with the company’s alleged failure to implement reasonable security measures, and its alleged attempt to cover up a 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to affected individuals.

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

On March 10, 2022, in its first formal written opinion interpreting the California Consumer Privacy Act’s (“CCPA’s”) compliance obligations, the California Attorney General (“AG”) confirmed that the CCPA grants a consumer the right to access inferences drawn from personal information collected about the consumer, even if such inferences are generated by the business (unless the business can demonstrate that a statutory exception to the CCPA applies). The opinion also makes clear that the CCPA does not require businesses to disclose trade secrets in response to access requests. The decision interprets the CCPA’s existing language, as opposed to creating new obligations with respect to access requests made pursuant to the CCPA.

On March 9, 2022, the Biden Administration released its much-anticipated “Executive Order on Ensuring Responsible Development of Digital Assets” (“Executive Order”). The White House describes the Executive Order as the “first whole-of-government strategy” on digital assets and attempts to strike a balance between encouraging innovation and U.S. leadership in the digital asset space, while signaling an appetite to protect against a variety of stated risks through additional regulation and legislation.

On March 2, 2022, eight states announced a bipartisan, nationwide investigation into whether TikTok operates in a way that causes or exacerbates harm to the physical and mental health of children, teens and young adults. The probe will further consider whether the company violated state consumer protection laws and put the public at risk.

On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.

On February 18, 2022, California Assembly Member Evan Low (D) introduced a pair of bills – AB 2871 and AB 2891 – that would extend the duration of the current exemptions in the California Consumer Privacy Act (“CCPA”) (as amended by the California Privacy Rights Act (“CPRA”)) for certain HR data and business-to-business (“B2B”) customer representative personnel data from most of the law’s requirements. The existing temporary “HR” and “B2B” exemptions were first introduced through amendments to the CCPA, and were extended by the CPRA, under which the exemptions will sunset on the CPRA’s compliance deadline, January 1, 2023.

On February 17, 2022, the California Privacy Protection Agency (“CPPA”) announced at a board meeting that it will delay the publication of final regulations under the California Privacy Rights Act (“CPRA”). As drafted, the CPRA provides for regulations to be finalized by July 1, 2022, to allow for a six-month compliance window ahead of the law’s January 1, 2023 effective date. However, the CPPA estimated that it will not publish final regulations until the third or fourth quarter of 2022. The CPPA also indicated that it may not issue draft regulations until June 2022. The CPPA cited delays in hiring staff and beginning operations as reasons for the delayed rulemaking process.

The Federal Trade Commission has reached a settlement with WW International, Inc. and Kurbo, Inc. over allegations the companies improperly registered children for the “Kurbo by WW” online weight loss management program. In pleadings filed on February 16, 2022, in federal court in the Northern District of California, the FTC claims WW and Kurbo offered a service that was tailored for children but that failed to ensure parental involvement in the registration process. According to the FTC, the defendants created an age gate that children could easily evade, and that ...

On February 18, 2022, the Texas Attorney General’s Office (the “Texas AG”) announced that it had issued two Civil Investigative Demands (“CIDs”) to TikTok Inc. The Texas AG’s investigation focuses on TikTok’s alleged violations of children’s privacy and facilitation of human trafficking, along with other potential unlawful conduct.

On February 14, 2022, Noom Inc., a popular weight loss and fitness app, agreed to pay $56 million, and provide an additional $6 million in subscription credits to settle a putative class action in New York federal court. The class is seeking conditional certification and has urged the court to preliminarily approve the settlement.

On February 14, 2022, Texas Attorney General Ken Paxton brought suit against Meta, the parent company of Facebook and Instagram, over the company’s collection and use of biometric data. The suit alleges that Meta collected and used Texans’ facial geometry data in violation of the Texas Capture or Use of Biometric Identifier Act (“CUBI”) and the Texas Deceptive Trade Practices Act (“DTPA”). The lawsuit is significant because it represents the first time the Texas Attorney General’s Office has brought suit under CUBI.

On January 24, 2022, a group of state attorneys general (Indiana, Texas, D.C. and Washington) (the “State AGs”) announced their commitment to ramp up enforcement work on “dark patterns” that are used to ascertain consumers’ location data. The State AGs created a plan to initiate lawsuits alleging that consumers of certain online services are falsely led to believe that they can prevent the collection of their location data by changing their account and device settings, when the online services do not, in fact, honor such settings. The State AGs have alleged that this practice constitutes a deceptive and unlawful trade practice under applicable state consumer protection law. The State AGs’ announcement highlights the underlying concern that consumers may be provided with a choice to opt out of location tracking but still have their location data made accessible to certain online service providers.

On January 28, 2022, in celebration of Data Privacy Day, the Colorado Attorney General’s Office issued prepared remarks from Colorado Attorney General Phil Weiser and published guidance on data security best practices. In his remarks, Attorney General Weiser highlighted the importance of protecting data security and outlined his office’s plans for implementing the Colorado Privacy Act (“CPA”), which takes effect July 1, 2023.

On January 28, 2022, California Attorney General Rob Bonta published a statement regarding recent investigations conducted by the California Office of Attorney General (“AG”) with respect to businesses operating loyalty programs and their compliance with the California Consumer Privacy Act’s (“CCPA’s”) financial incentive requirements. As a result of the investigations, the AG’s Office sent non-compliance notices to major corporations across multiple sectors, including retail, food services, travel and home improvement. The businesses have 30 days to cure the alleged CCPA violations and bring their loyalty programs into compliance with the CCPA. Otherwise, enforcement action can be initiated.

On January 21, 2022, the Federal Trade Commission published two new resources for complying with the Health Breach Notification Rule (the “Rule”). In September 2021, the FTC issued a Policy Statement clarifying that the Rule applies to makers of health apps, connected devices and similar products. As we previously blogged, the Rule requires vendors of personal health records (“PHR”), PHR-related entities and service providers to these entities, to notify consumers and the FTC (and, in some cases, the media) in the event of a breach of unsecured identifiable health information, including cybersecurity intrusions and other instances of unauthorized access.

On January 6, 2022, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC (“ITMedia”) over alleged violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.

On January 5, 2022, the New York Office of the Attorney General (“NY AG”) announced the results of an investigation into “credential stuffing,” which uncovered 1.1 million compromised accounts from cyberattacks on 17 well-known companies. The announcement included a “Business Guide for Credential Stuffing Attacks,” (the “Guide”) detailing the attacks and providing tips for businesses to protect themselves.

On December 27, 2021, the Federal Trade Commission sought public comment on a petition filed by Accountable Tech calling on the FTC to use its rulemaking authority to prohibit “surveillance advertising” as an “unfair method of competition” (“UMC”). Accountable Tech is a non-profit organization that advocates for social media companies to strengthen the integrity of their platforms.

On December 15, 2021, the New Jersey Acting Attorney General Andrew J. Bruck announced that its Division of Consumer Affairs had reached a $425,000 settlement with New Jersey-based providers of cancer care, Regional Cancer Care Associates LLC, RCCA MSO LLC and RCCA MD LLC (collectively, “RCCA”), over alleged failures to adequately safeguard patient data.

On November 18, 2021, the Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency issued a new rule regarding cyber incident reporting obligations for U.S. banks and service providers.

On October 21, 2021, the Consumer Financial Protection Bureau (“CFPB”) issued orders to Google, Apple, Facebook, Amazon, Square and PayPal requesting detailed information about their business practices in relation to payment systems they operate. The CFPB issued the orders pursuant to its statutory authority under the Consumer Financial Protection Act.

On October 27, 2021, the Federal Trade Commission announced significant amendments to the agency’s Safeguards Rule (the “Final Rule”). Promulgated in 2002 pursuant to the Gramm-Leach-Bliley Act, the Safeguards Rule obligates covered financial institutions to develop, implement and maintain a comprehensive information security program that complies with the Rule’s requirements.